Personal Data Protection

/05
December 2011

As it is well known, on the 1st of January 2011 the Law "On protection of personal data" came into force and since the 1st of July the State Service on Protection of Personal Data of Ukraine (SSPPD) began registration of personal databases in State Register. Responsibility for the above mentioned Law violation predicts up to 5 years of imprisonment.

However, the way the control on compliance with legislation on protection of personal data has to be exercised was not set in any regulations. Considering this SSPPD published a draft of Regulation on exercising control over protection of personal data on its official website.

This Regulation determines procedure of holding inspections, clearance and consideration of its results, and specifies types and basis for exercising inspections by SSPPD. The draft foresees scheduled and unscheduled inspections of personal database owners / holders. Exercising scheduled inspections of a subject grounds on his inclusion into the SSPPD inspection plan in appropriate quarter and year. The plan is being approved by a relevant order of the SSPPD and is being published on its official website. It should be noted, that, according to the draft, scheduled inspections are to be exercised not oftener then once in 5 years.

The draft also anticipates the possibility of exercising unscheduled inspections in case of appearance of the following grounds:

- receiving by SSPPD of a court decision, as well as investigator’s or prosecutor’s prescript on exercising an inspection;

- statement of an owner or disposer of a personal database about initiation of inspection;

- failure by a subject, claimed to commit violation, to provide explanations or documentary confirmation of absence of such violations within ten working days since obtaining a written inquiry from SSPPD;

- revelation of falsity (possible falsity) in information, presented by a subject of inspection after a written inquiry of SSPPD, or deficiency of such information for assessing the fulfillment of legislation requirements by a subject of inspection;

- subject of inspection complaints on SSPPD decision, presentation of objections on an act of inspection, which contain requirements of full or partial reviewing of the results of relevant inspection or cancellation of a decision based on it, in case there are circumstances which were not examined during the inspection, and fair investigation is impossible without exercising a new inspection (such inspection is being exercised exclusively on issues becoming the subject of appeal);

- expiry of the terms of execution of SSPPD prescript on remedy of defaults of legislation in the field of protection of personal data;

- state authorities application about necessity of SSPPD inspection initiation.

This draft is the latest in the series of SSPPD regulatory system generation, which seems to be formed till the beginning of 2012. And the availability of such system will allow to apply sanctions for violation of the Law "On protection of of personal data", which enter into force from the 1st of January 2012.

Considering the above mentioned, companies and entrepreneurs, who have not yet registered personal databases and have not lead internal documents in accordance with the law, should hurry up and do that till the New Year.